<!DOCTYPE html>
<html lang="en" country="us">
<head>

<meta charset="UTF-8">
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta http-equiv="cleartype" content="on">
<meta http-equiv="content-language" content="en" />
<meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1" />

<title>New Kiss-a-dog Cryptojacking Campaign Targets Docker and Kubernetes</title>
<meta name="description" content="CrowdStrike has identified a new cryptojacking campaign, called “Kiss-a-dog,” which has been observed targeting vulnerable Docker and Kubernetes infrastructure." />
<link rel="canonical" href="https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="New Kiss-a-dog Cryptojacking Campaign Targets Docker and Kubernetes" />
<meta property="og:description" content="CrowdStrike has identified a new cryptojacking campaign, called “Kiss-a-dog,” which has been observed targeting vulnerable Docker and Kubernetes infrastructure." />
<meta property="og:url" content="https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/" />
<meta property="og:site_name" content="crowdstrike.com" />
<meta property="article:publisher" content="https://www.facebook.com/CrowdStrike/" />
<meta property="article:published_time" content="2022-10-26T05:55:15+00:00" />
<meta property="article:modified_time" content="2023-11-21T18:19:37+00:00" />
<meta property="og:image" content="https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg" />
<meta property="og:image:width" content="1060" />
<meta property="og:image:height" content="698" />
<meta property="og:image:type" content="image/jpeg" />
<meta name="author" content="Manoj Ahuje" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:creator" content="@CrowdStrike" />
<meta name="twitter:site" content="@CrowdStrike" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Manoj Ahuje" />
<meta name="twitter:label2" content="Est. reading time" />
<meta name="twitter:data2" content="12 minutes" />
<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Article","@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/#article","isPartOf":{"@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"},"author":{"name":"Manoj Ahuje","@id":"https://www.crowdstrike.com/#/schema/person/f7c66353844b7e1276065f49c51c7a08"},"headline":"CrowdStrike Identifies New Kiss-a-Dog Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Infrastructure","datePublished":"2022-10-26T05:55:15+00:00","dateModified":"2023-11-21T18:19:37+00:00","mainEntityOfPage":{"@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"},"wordCount":1938,"publisher":{"@id":"https://www.crowdstrike.com/#organization"},"image":{"@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/#primaryimage"},"thumbnailUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg","keywords":["featured"],"articleSection":["Cloud and Application Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/","url":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/","name":"New Kiss-a-dog Cryptojacking Campaign Targets Docker and 
Kubernetes","isPartOf":{"@id":"https://www.crowdstrike.com/#website"},"primaryImageOfPage":{"@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/#primaryimage"},"image":{"@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/#primaryimage"},"thumbnailUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg","datePublished":"2022-10-26T05:55:15+00:00","dateModified":"2023-11-21T18:19:37+00:00","description":"CrowdStrike has identified a new cryptojacking campaign, called “Kiss-a-dog,” which has been observed targeting vulnerable Docker and Kubernetes infrastructure.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/#primaryimage","url":"https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg","contentUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg","width":1060,"height":698},{"@type":"WebSite","@id":"https://www.crowdstrike.com/#website","url":"https://www.crowdstrike.com/","name":"crowdstrike.com","description":"Next-Generation Endpoint Protection","publisher":{"@id":"https://www.crowdstrike.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.crowdstrike.com/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://www.crowdstrike.com/#organization","name":"CrowdStrike","url":"https://www.crowdstrike.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.crowdstrike.com/#/schema/logo/image/","url":"https://www.crowdstrike.com/wp-content/uploads/2022/08/CS_Logos_2022_Inline_Red-Black_RGB.png","contentUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/08/CS_Logos_2022_Inline_Red-Black_RGB.png","width":112,"height":112,"caption":"CrowdStrike"},"image":{"@id":"https://www.crowdstrike.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/CrowdStrike/","https://twitter.com/CrowdStrike","https://www.instagram.com/crowdstrike/","https://www.linkedin.com/company/crowdstrike/","https://www.youtube.com/user/CrowdStrike"]},{"@type":"Person","@id":"https://www.crowdstrike.com/#/schema/person/f7c66353844b7e1276065f49c51c7a08","name":"Manoj Ahuje","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.crowdstrike.com/#/schema/person/image/","url":"http://1.gravatar.com/avatar/10917c253c54bcd793b2f99703c1d217?s=96&d=mm&r=g","contentUrl":"http://1.gravatar.com/avatar/10917c253c54bcd793b2f99703c1d217?s=96&d=mm&r=g","caption":"Manoj Ahuje"},"url":"https://www.crowdstrike.com/blog/author/manoj-ahuje/"}]}</script>

<link rel="stylesheet" id="single-post.min.css-css" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/pages/single-post.min.css?ver=1708658992" type="text/css" media="all" />
<link rel="stylesheet" id="crowdstrike-header-styles-css" href="https://www.crowdstrike.com/etc.clientlibs/crowdstrike/clientlibs/crowdstrike-wp-header.css?ver=6.4.3" type="text/css" media="screen" />
<link rel="stylesheet" id="theme-styles-css" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/theme-styles.min.css?ver=1708658992" type="text/css" media="screen" />
<link rel="stylesheet" id="tablepress-default-css" href="https://www.crowdstrike.com/wp-content/tablepress-combined.min.css?ver=31" type="text/css" media="all" />
<link rel="stylesheet" id="font-awesome-official-css" href="https://use.fontawesome.com/releases/v6.4.2/css/all.css" type="text/css" media="all" integrity="sha384-blOohCVdhjmtROpu8+CfTnUWham9nkX7P7OZQMst+RUnhtoY/9qemFAkIKOYxDI3" crossorigin="anonymous" />
<link rel="stylesheet" id="font-awesome-official-v4shim-css" href="https://use.fontawesome.com/releases/v6.4.2/css/v4-shims.css" type="text/css" media="all" integrity="sha384-IqMDcR2qh8kGcGdRrxwop5R2GiUY5h8aDR/LhYxPYiXh3sAAGGDkFvFqWgFvTsTd" crossorigin="anonymous" />
<link rel="shortlink" href="https://www.crowdstrike.com/?p=137416" />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="32x32" />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
<meta name="msapplication-TileImage" content="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
</head><body class="post-template-default single single-post postid-137416 single-format-standard lang-en">


<script type="application/ld+json">
    {
        "@context": "http://schema.org",
        "@type": "Organization",
        "name": "CrowdStrike",
        "url": "http://www.crowdstrike.com",
        "logo": "http://www.crowdstrike.com/wp-content/img/cs_logo.png",
        "sameAs": [
            "http://www.facebook.com/CrowdStrike/",
            "http://www.twitter.com/CrowdStrike/",
            "https://plus.google.com/101967380457820256808/",
            "http://www.linkedin.com/company/crowdstrike",
            "http://www.youtube.com/user/CrowdStrike"
        ]
    }
</script>
<div class="cs_page_container  standard">
<div class="cs_page_content">
<div id="mobileNav" class="mobile_nav_section"></div>
<div class="cs_main_section">
<main class="main" data-ping="false"> <article>
<div class="container">
<div class="row">
<div class="col-12 col-lg-8">
<h1>CrowdStrike Identifies New Kiss-a-Dog Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Infrastructure</h1>
<div class="publish_info">
<p>October 26, 2022</p> <a href="https://www.crowdstrike.com/blog/author/manoj-ahuje/" title="Posts by Manoj Ahuje" rel="author">Manoj Ahuje</a> <a href="https://www.crowdstrike.com/blog/category/cloud-security/" title="Cloud and Application Security">Cloud and Application Security</a> </div>
<div class="post_image"><img width="1060" height="698" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt decoding="async" fetchpriority="high" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698.jpeg 1060w, https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698-300x198.jpeg 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698-1024x674.jpeg 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/1022_05_Kiss-a-Dog_Blog_1060x698-768x506.jpeg 768w" sizes="(max-width: 1060px) 100vw, 1060px" /></div>
<div class="blog_content">
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">CrowdStrike has uncovered a new cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Called “Kiss-a-dog,” the campaign used multiple command-and-control (C2) servers to launch attacks that attempted to mine cryptocurrency, utilize user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The CrowdStrike Falcon<sup>®</sup> platform helps protect organizations of all sizes from sophisticated breaches, including cryptojacking campaigns such as this. </span></li>
</ul>
<p><span style="font-weight: 400;">CrowdStrike has identified a new cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign uses an obscure domain from the payload, a container escape attempt and anonymized “dog” mining pools.  </span></p>
<p><center><a href="https://www.crowdstrike.com/resources/demos/falcon-cnapp/" target="_blank" rel="noopener"><img decoding="async" src="/wp-content/uploads/2023/01/blog-CNAPP-demo.png" alt="cnapp demo" /></a></center><span style="font-weight: 400;">CrowdStrike’s Cloud Threat Research team deploys and analyzes </span><a href="https://www.crowdstrike.com/cybersecurity-101/honeypots-in-cybersecurity-explained/"><span style="font-weight: 400;">honeypots</span></a><span style="font-weight: 400;"> to understand how attackers target vulnerabilities and put cloud infrastructure at risk. CrowdStrike has previously uncovered campaigns targeting vulnerable cloud infrastructure by cryptojacking botnets/groups like </span><a href="https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/"><span style="font-weight: 400;">LemonDuck</span></a><span style="font-weight: 400;"> and </span><a href="https://www.crowdstrike.com/blog/new-docker-cryptojacking-attempts-detected-over-2021-holidays/"><span style="font-weight: 400;">Watchdog</span></a><span style="font-weight: 400;">. Kiss-a-dog relies on tools and techniques </span><a href="https://www.crowdstrike.com/blog/new-docker-cryptojacking-attempts-detected-over-2021-holidays/"><span style="font-weight: 400;">previously associated</span></a><span style="font-weight: 400;"> with cryptojacking groups like TeamTNT, which targeted vulnerable Docker and Kubernetes infrastructure. </span></p>
<p><span style="font-weight: 400;">The CrowdStrike Falcon platform protects customers and comprehensively secures cloud environments against cryptojacking campaigns like Kiss-a-dog by delivering a powerful combination of agentless capabilities to protect against misconfigurations and control plane attacks and agent-based capabilities to protect cloud workloads with runtime security. </span></p>
<p><b>The CrowdStrike Falcon platform sets the new standard in cloud security. </b><a href="https://go.crowdstrike.com/product-demo-platform.html"><b>Watch this demo to see the Falcon platform in action</b></a><span style="font-weight: 400;">.</span></p>
<h2><span style="font-weight: 400;">CrowdStrike Detection and Protection</span></h2>
<p><span style="font-weight: 400;">The </span><a href="https://www.crowdstrike.com/falcon-platform/"><span style="font-weight: 400;">Falcon platform</span></a><span style="font-weight: 400;"> unifies cloud security in a single platform to deliver comprehensive protection to its customers from any attacks on Docker and Kubernetes infrastructure. </span></p>
<p><span style="font-weight: 400;">With the Falcon platform, customers can implement </span><a href="https://www.crowdstrike.com/cybersecurity-101/shift-left-security/"><span style="font-weight: 400;">“shift-left” strategies</span></a><span style="font-weight: 400;"> to identify vulnerabilities and misconfigurations at the development stage to secure Kubernetes and Docker deployments out-of-the-box, while also monitoring production environments for any suspicious activity to stop campaigns like Kiss-a-dog. Suspicious activity from the Kiss-a-dog campaign is detected by CrowdStrike’s advanced machine learning and by multiple behavior-based indicators of attack (IOAs) in the kill chain of the campaign.  </span></p>
<p><span style="font-weight: 400;">The Falcon platform takes a defense-in-depth approach to protecting customers by leveraging incoming telemetry to power detection and provide real-time mitigation. This includes detection of the following conditions, which are used to identify a campaign like Kiss-a-dog:</span></p>
<ol>
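<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Host path mount to escape the container (a host directory mounted into the container gives processes inside it direct access to the host filesystem)</span></li>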
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Rogue container running on your Docker instance</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Misconfigured Kubernetes or Docker instance</span></li>
</ol>
<p><span style="font-weight: 400;">Figures 1.A and 1.B show a High Confidence detection of a malicious service that runs </span><span style="font-weight: 400;">[CMAKE]</span><span style="font-weight: 400;">, which is a disguised </span><a href="https://github.com/xmrig/xmrig"><span style="font-weight: 400;">XMRig</span></a><span style="font-weight: 400;"> binary.</span></p>
<div id="attachment_137423" style="width: 2193px" class="wp-caption alignnone"><img decoding="async" aria-describedby="caption-attachment-137423" class="size-full wp-image-137423" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a.png" alt width="2183" height="750" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a.png 2183w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a-300x103.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a-1024x352.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a-768x264.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a-1536x528.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1a-2048x704.png 2048w" sizes="(max-width: 2183px) 100vw, 2183px" /><p id="caption-attachment-137423" class="wp-caption-text">Figure 1.A</p></div>
<div id="attachment_137424" style="width: 1747px" class="wp-caption alignnone"><img decoding="async" aria-describedby="caption-attachment-137424" class="size-full wp-image-137424" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b.png" alt width="1737" height="1008" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b.png 1737w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b-300x174.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b-1024x594.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b-768x446.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1b-1536x891.png 1536w" sizes="(max-width: 1737px) 100vw, 1737px" /><p id="caption-attachment-137424" class="wp-caption-text">Figure 1.B</p></div>
<p style="text-align: center;"><span style="font-weight: 400;">Figures 1.A and 1.B. Disguised miner process identified and killed by the Falcon platform</span></p>
<p><span style="font-weight: 400;">Moreover, the Falcon platform analyzes suspicious images: it detects malicious runtime activity and network connections, and combines them with a vulnerability analysis of the image to provide in-depth reports, as shown in Figure 2.</span></p>
<div id="attachment_137425" style="width: 1795px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137425" class="size-full wp-image-137425" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28.png" alt width="1785" height="920" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28.png 1785w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28-300x155.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28-1024x528.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28-768x396.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-28-1536x792.png 1536w" sizes="(max-width: 1785px) 100vw, 1785px" /><p id="caption-attachment-137425" class="wp-caption-text">Figure 2. Falcon Dynamic Container Analysis report</p></div>
<p><b>See for yourself how the industry-leading CrowdStrike Falcon platform protects your cloud environments. </b><a href="https://go.crowdstrike.com/try-falcon-prevent.html"><b>Start your 15-day free trial today</b></a><b>.</b></p>
<h2><span style="font-weight: 400;">Kiss-a-Dog Campaign Targets Docker</span></h2>
<p><span style="font-weight: 400;">In mid-2022, a </span><a href="https://www.forbes.com/sites/billybambrough/2022/08/21/1-trillion-crypto-knife-edge-now-hinged-on-a-fed-bombshell-after-200-billion-bitcoin-ethereum-bnb-xrp-solana-cardano-and-dogecoin-price-crash/?sh=3ac7f47de2f8"><span style="font-weight: 400;">crypto crash</span></a><span style="font-weight: 400;"> caused havoc in the digital currency market where several currencies — including Bitcoin — dropped 40% to 90% and some of them perished. During this period, cryptomining activity targeting digital currencies on containerized environments remained muffled until now.</span></p>
<p><span style="font-weight: 400;">In September 2022, one of CrowdStrike’s honeypots spotted a number of campaigns enumerating vulnerable container attack surfaces like Docker and Kubernetes. As CrowdStrike monitors exposed Docker APIs, the following compromised Docker container triggered additional investigation. Figure 3 shows the entry point used to trigger the initial payload.</span></p>
<p><span style="font-weight: 400;">The Base64-encoded payload is a Python command that downloads a malicious payload </span><span style="font-weight: 400;">t.sh</span><span style="font-weight: 400;"> from the domain </span><code><span style="font-weight: 400;">kiss[.]a-dog[.]top</span></code><span style="font-weight: 400;"> — hence the Kiss-a-dog campaign name. The entry point verifies and installs cURL using a package manager and adds a malicious payload as a cron job. Let’s take a closer look at this payload and subsequent campaign.</span></p>
<div id="attachment_137427" style="width: 1510px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137427" class="size-full wp-image-137427" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-29.png" alt width="1500" height="291" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-29.png 1500w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-29-300x58.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-29-1024x199.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-29-768x149.png 768w" sizes="(max-width: 1500px) 100vw, 1500px" /><p id="caption-attachment-137427" class="wp-caption-text">Figure 3. Kiss-a-dog entry point</p></div>
<h3><span style="font-weight: 400;">Use of Obscured Domain</span></h3>
<p><span style="font-weight: 400;">The entry point payload used in the initial Docker compromise is Base64-wrapped Python code, shown decoded in Figure 4. The URL used in the payload is obscured with backslashes to defeat automated decoding and regex matching that would otherwise retrieve the malicious domain. The Python urllib2 library sanitizes the backslashes as part of its validation to form a valid domain name </span><code><span style="font-weight: 400;">kiss[.]a-dog[.]top</span></code><span style="font-weight: 400;"> before querying a DNS (Domain Name System) server. Attackers used it to their advantage — Figure 5 shows a successful DNS query after parsing an actual domain name. Because the name is normalized only at request time, matching on the resolved DNS query is more reliable for detection than matching the raw command string. With successful name resolution, attackers download the first payload </span><code><span style="font-weight: 400;">t.sh</span></code><span style="font-weight: 400;"> from a C2 server, which is saved and executed as </span><code><span style="font-weight: 400;">.1</span></code><span style="font-weight: 400;">.</span></p>
<div id="attachment_137428" style="width: 622px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137428" class="size-full wp-image-137428" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.18.18-PM.png" alt width="612" height="48" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.18.18-PM.png 612w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.18.18-PM-300x24.png 300w" sizes="(max-width: 612px) 100vw, 612px" /><p id="caption-attachment-137428" class="wp-caption-text">Figure 4. Decoded Kiss-a-dog entry point</p></div>
<div id="attachment_137429" style="width: 2737px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137429" class="size-full wp-image-137429" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30.png" alt width="2727" height="613" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30.png 2727w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30-300x67.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30-1024x230.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30-768x173.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30-1536x345.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-30-2048x460.png 2048w" sizes="(max-width: 2727px) 100vw, 2727px" /><p id="caption-attachment-137429" class="wp-caption-text">Figure 5. Successful DNS query</p></div>
<h3><span style="font-weight: 400;">Container Escape</span></h3>
<p><span style="font-weight: 400;">Container escape is the essential part of utilizing the resources on the host and moving laterally into the compromised network. The Kiss-a-dog campaign uses a </span><a href="https://docs.docker.com/storage/bind-mounts/"><span style="font-weight: 400;">host mount</span></a><span style="font-weight: 400;"> to escape from the container. The technique itself is not new and seems to be common among cryptominers as an attempt to break out of containers. This is attributed to a lack of innovation by attackers and at the same time speaks to the vast and easy Docker attack surface exposed and available on the internet. Per Shodan, there are 10,000+ Docker instances exposed to the internet, as shown in Figure 6.</span></p>
<div id="attachment_137430" style="width: 1478px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137430" class="size-full wp-image-137430" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31.png" alt width="1468" height="1468" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31.png 1468w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31-300x300.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31-1024x1024.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31-150x150.png 150w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-31-768x768.png 768w" sizes="(max-width: 1468px) 100vw, 1468px" /><p id="caption-attachment-137430" class="wp-caption-text">Figure 6.A Docker instances exposed to internet (per Shodan)</p></div>
<div id="attachment_137431" style="width: 1212px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137431" class="size-full wp-image-137431" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-32.png" alt width="1202" height="1341" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-32.png 1202w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-32-269x300.png 269w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-32-918x1024.png 918w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-32-768x857.png 768w" sizes="(max-width: 1202px) 100vw, 1202px" /><p id="caption-attachment-137431" class="wp-caption-text">Figure 6.B Kubernetes instances exposed to internet (per Shodan)</p></div>
<h3><span style="font-weight: 400;">Removal of Cloud Monitoring Service </span></h3>
<p><span style="font-weight: 400;">Agent-based cloud monitoring services still remain an easy target for cryptominers, as they can be removed from cloud instances. After a container escape with root privileges, it is an easy step for an attacker to determine if an instance has a cloud monitoring service installed, and if so, then attackers move on to stopping and uninstalling the cloud monitoring service. The Kiss-a-dog campaign reused the following code to remove the service (shown in Figure 7). The code is traced to multiple public GitHub repositories.</span></p>
<div id="attachment_137432" style="width: 2193px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137432" class="size-full wp-image-137432" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33.png" alt width="2183" height="1075" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33.png 2183w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33-300x148.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33-1024x504.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33-768x378.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33-1536x756.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-33-2048x1009.png 2048w" sizes="(max-width: 2183px) 100vw, 2183px" /><p id="caption-attachment-137432" class="wp-caption-text">Figure 7. Uninstall aegis service</p></div>
<h3><span style="font-weight: 400;">Kernel Headers and GCC</span></h3>
<p><span style="font-weight: 400;">Downloading pre-compiled binary tools can cause compatibility issues with the compromised container’s architecture and flavor. To avoid that, the Kiss-a-dog campaign prefers to compile code on compromised containers for multiple tools required in the next stages of the campaign. The attacker installed the relevant kernel headers and </span><a href="https://gcc.gnu.org/"><span style="font-weight: 400;">GCC</span></a><span style="font-weight: 400;"> to compile binaries specific to the container’s Linux architecture and flavor, for use on the same container.</span></p>
<h3><span style="font-weight: 400;">Use of Traditional Kernel Rootkits Diamorphine and Libprocesshider</span></h3>
<p><span style="font-weight: 400;">The Kiss-a-dog campaign uses the </span><a href="https://github.com/m0nad/Diamorphine"><span style="font-weight: 400;">Diamorphine</span></a><span style="font-weight: 400;"> and </span><a href="https://github.com/gianlucaborello/libprocesshider"><span style="font-weight: 400;">libprocesshider</span></a><span style="font-weight: 400;"> rootkits to hide the process from user-space tools, where the typical cloud practitioner will look for malicious activities. Both rootkits are known to hide processes from the user.</span><span style="font-weight: 400;"><br/>
</span><span style="font-weight: 400;"><br/>
</span><span style="font-weight: 400;">To avoid detection on the network, the Kiss-a-dog campaign chose to encode the C/C++ code files and embed them as a Base64 string in the script, as shown in Figure 8. At runtime, attackers decoded the Base64 string into a </span><code><span style="font-weight: 400;">.tar</span></code><span style="font-weight: 400;"> file, which contains the code for the Diamorphine rootkit. It is then compiled using </span><a href="https://gcc.gnu.org/"><span style="font-weight: 400;">GCC</span></a><span style="font-weight: 400;"> to create the file </span><code><span style="font-weight: 400;">diamorphin.ko</span></code><span style="font-weight: 400;">, which is loaded as a kernel module using the </span><a href="https://linux.die.net/man/8/insmod"><span style="font-weight: 400;">insmod</span></a><span style="font-weight: 400;"> command.</span></p>
<div id="attachment_138801" style="width: 2037px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-138801" class="wp-image-138801 size-full" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39.png" alt width="2027" height="968" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39.png 2027w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39-300x143.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39-1024x489.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39-768x367.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-39-1536x734.png 1536w" sizes="(max-width: 2027px) 100vw, 2027px" /><p id="caption-attachment-138801" class="wp-caption-text">Figure 8. Diamorphine rootkit compiled and loaded into the kernel</p></div>
<p><span style="font-weight: 400;">Attackers used a similar technique to compile the libprocesshider rootkit as a shared library. The difference is that the shared library path is set as </span><a href="https://man7.org/linux/man-pages/man8/ld.so.8.html"><span style="font-weight: 400;">LD_PRELOAD</span></a><span style="font-weight: 400;">. This allows the attackers to inject malicious shared libraries into every process spawned on a compromised container. For defenders, an unexpected preload setting (the LD_PRELOAD environment variable or an entry in /etc/ld.so.preload) is therefore worth investigating.</span></p>
<h3><span style="font-weight: 400;">Use of Dog Pools and Disguised Xmrig</span></h3>
<p><span style="font-weight: 400;">The motive behind the Kiss-a-dog campaign is to run a cryptominer to mine a digital currency. Attackers are using </span><a href="https://github.com/xmrig/xmrig"><span style="font-weight: 400;">XMRig</span></a><span style="font-weight: 400;">, a popular mining software, to mine the cryptocurrency. </span></p>
<p><span style="font-weight: 400;">Cryptojacking groups don’t like to advertise their wallet addresses because in the past, researchers have found their earnings per day and per campaign by tracking wallet transactions. Instead, attackers hide wallet addresses by creating anonymous pool servers where mining peers — like your compromised container — contribute compute efforts anonymously.</span></p>
<p><span style="font-weight: 400;">Interestingly, attackers used </span><code><span style="font-weight: 400;">love[.]a-dog[.]top</span></code><span style="font-weight: 400;"> and </span><code><span style="font-weight: 400;">touch[.]a-dog[.]top</span></code><span style="font-weight: 400;"> as pool servers to hide the</span> <span style="font-weight: 400;">Kiss-a-dog campaign’s wallet addresses. Figure 9.A shows the pool used in the configuration of </span><span style="font-weight: 400;">XMRig</span><span style="font-weight: 400;">. The campaign also disguises </span><span style="font-weight: 400;">XMRig</span><span style="font-weight: 400;"> as </span><code><span style="font-weight: 400;">[CMAKE]</span></code><span style="font-weight: 400;"> and installs a service to run the binary as </span><code><span style="font-weight: 400;">cmake.service</span></code><span style="font-weight: 400;">, as shown in Figure 9.B.</span></p>
<div id="attachment_137435" style="width: 1170px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137435" class="size-full wp-image-137435" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-35.png" alt width="1160" height="826" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-35.png 1160w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-35-300x214.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-35-1024x729.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-35-768x547.png 768w" sizes="(max-width: 1160px) 100vw, 1160px" /><p id="caption-attachment-137435" class="wp-caption-text">Figure 9.A. Pool configuration for the Kiss-a-dog campaign</p></div>
<div id="attachment_137436" style="width: 2424px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137436" class="size-full wp-image-137436" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36.png" alt width="2414" height="779" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36.png 2414w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36-300x97.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36-1024x330.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36-768x248.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36-1536x496.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Picture1-36-2048x661.png 2048w" sizes="(max-width: 2414px) 100vw, 2414px" /><p id="caption-attachment-137436" class="wp-caption-text">Figure 9.B Disguised XMRig as [CMAKE]</p></div>
<h3><span style="font-weight: 400;">Use of Pnscan, Zgrab and Masscan</span></h3>
<p><span style="font-weight: 400;">Apart from cryptojacking, the secondary goal of the campaign is to reach out to as many vulnerable instances of Redis and Docker as possible. To achieve this goal, attackers download and compile network-scanning tools like pnscan, masscan and zgrab on the compromised container. These tools then randomly scan the IP ranges on the internet to look for vulnerable instances of Docker and Redis servers. Figure 10 shows all of the tools in action.</span></p>
<div id="attachment_137451" style="width: 628px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137451" class="size-full wp-image-137451" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.28.33-PM-1.png" alt width="618" height="158" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.28.33-PM-1.png 618w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.28.33-PM-1-300x77.png 300w" sizes="(max-width: 618px) 100vw, 618px" /><p id="caption-attachment-137451" class="wp-caption-text">Figure 10. Masscan, zgrab and pnscan in action</p></div>
<h3><span style="font-weight: 400;">Redis as a Backdoor</span></h3>
<p><span style="font-weight: 400;">The Kiss-a-dog campaign installs a Redis server in the background and listens on port 6379 for any incoming connection. The Redis server is mostly used to backdoor the container where cron jobs are set to run additional scripts for mining and pivoting, as shown in Figure 11.</span></p>
<div id="attachment_137442" style="width: 603px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137442" class="size-full wp-image-137442" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.29.38-PM.png" alt width="593" height="176" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.29.38-PM.png 593w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-4.29.38-PM-300x89.png 300w" sizes="(max-width: 593px) 100vw, 593px" /><p id="caption-attachment-137442" class="wp-caption-text">Figure 11. Redis server installed on a container</p></div>
<h3><span style="font-weight: 400;">Multiple Campaigns</span></h3>
<p><span style="font-weight: 400;">The CrowdStrike Cloud Threat Research team detected multiple campaigns targeting Docker from the same C2 servers previously used by TeamTNT. Table 1 shows some of the malicious payloads used in different campaigns started by TeamTNT. According to our research, the tactics, techniques and procedures of the attack are very similar in all of the campaigns.</span></p>
<div id="attachment_137467" style="width: 641px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-137467" class="size-full wp-image-137467" src="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-5.03.15-PM.png" alt width="631" height="465" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-5.03.15-PM.png 631w, https://www.crowdstrike.com/wp-content/uploads/2022/10/Screen-Shot-2022-10-25-at-5.03.15-PM-300x221.png 300w" sizes="(max-width: 631px) 100vw, 631px" /><p id="caption-attachment-137467" class="wp-caption-text">Table 1. Campaign payloads by TeamTNT</p></div>
<h2><span style="font-weight: 400;">Conclusion </span></h2>
<p><a href="https://www.crowdstrike.com/cybersecurity-101/cryptojacking/"><span style="font-weight: 400;">Cryptojacking groups</span></a><span style="font-weight: 400;"> are opportunistically targeting vulnerable Docker and Kubernetes environments to mine cryptocurrency. The campaigns by cryptojacking groups last from days to months depending on the success rate. As cryptocurrency prices dropped, these campaigns were muffled for the past couple of months, until multiple campaigns were launched in October to take advantage of a low-competition environment. Cloud security practitioners need to be aware of such campaigns and make sure that their cloud infrastructure doesn’t fall prey.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Securing containers doesn’t need to be an overly complex task. The Falcon platform provides a unified approach to cloud security, delivering a powerful combination of agentless capabilities to identify security issues in your environment in real time and agent-based capabilities to protect workloads and secure your cloud environments with runtime security.</span></p>
<p><span style="font-weight: 400;">CrowdStrike strives to enable organizations to stay ahead of the curve and remain fully protected from adversaries and breaches.</span></p>
<h4><b>Additional Resources</b></h4>
<ul>
<li><em><span style="font-weight: 400;">Learn how you can </span><a href="https://www.crowdstrike.com/products/cloud-security/"><span style="font-weight: 400;">stop cloud breaches with CrowdStrike</span></a><span style="font-weight: 400;"> unified cloud security for multi-cloud and hybrid environments — all in one lightweight platform.</span></em></li>
<li><em><span style="font-weight: 400;">Build, run and secure cloud-native applications with speed and confidence using </span><a href="https://www.crowdstrike.com/products/cloud-security/"><span style="font-weight: 400;">Falcon Cloud Security</span></a><span style="font-weight: 400;">.</span></em></li>
<li><em><span style="font-weight: 400;">To learn more about the cloud threat landscape, download </span><a href="https://www.crowdstrike.com/resources/reports/threat-landscape-cloud-security/"><span style="font-weight: 400;">“Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments.”</span></a><span style="font-weight: 400;"> </span></em></li>
<li><em><span style="font-weight: 400;">Visit the </span><a href="https://www.crowdstrike.com/products/cloud-security/cloud-workload-protection/"><span style="font-weight: 400;">Falcon Cloud Security CWP</span></a><span style="font-weight: 400;"> capabilities page to see if a managed detection and response solution for cloud workloads is right for your organization.</span></em></li>
<li><em><span style="font-weight: 400;">Learn how the powerful </span><a href="https://www.crowdstrike.com/falcon-platform/"><span style="font-weight: 400;">CrowdStrike Falcon<sup>®</sup> platform</span></a><span style="font-weight: 400;"> provides comprehensive protection across your organization, workers and data, wherever they are located.</span></em></li>
<li><em><a href="https://go.crowdstrike.com/try-falcon-prevent.html"><span style="font-weight: 400;">Get a full-featured free trial of CrowdStrike Falcon Prevent™</span></a><span style="font-weight: 400;"> and see for yourself how true next-gen AV performs against today’s most sophisticated threats.</span></em></li>
</ul>
</div>
</div>
</div>
</article>
</main>
</div>
</div>
</div>
<script type="text/javascript" id="exit-promoter-script-js-after">
/* <![CDATA[ */
var exitPromoterParams = {"promoters":[{"name":"Product pages","exit_promoter_options":{"url_whitelist":[{"url":"\/products\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/security-and-it-operations\/falcon-filevantage\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-cloud-workload-protection-complete\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-device-control\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-for-macos\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-cloud-workload-protection\/container-security\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-forensics\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/identity-protection\/falcon-identity-threat-detection\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/identity-protection\/falcon-identity-threat-protection\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/identity-protection\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-for-aws\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-horizon-cspm\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-for-google-cloud-platform\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-for-azure\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-cloud-workload-protection\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/falcon-for-data-centers\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/security-and-it-operations\/falcon-spotlight-vulnerability-management\/","is_subfolder":false,"exclusions":false},{"url
":"\/products\/endpoint-security\/falcon-firewall-management\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/premium\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/elite\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-for-mobile\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-prevent-antivirus\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/security-and-it-operations\/falcon-discover-network-security-monitoring\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-insight-edr\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/cloud-security\/cloud-infrastructure-entitlement-management-ciem-features\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-insight-xdr\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/bundles\/falcon-go\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-long-term-repository\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/security-and-it-operations\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-recon\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-prevent-antivirus\/falcon-prevent-for-home-use-faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-firewall-management\/faq\/","is_subfolder":false,"excl
usions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/premium\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/elite\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-for-mobile\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-intelligence-automated-intelligence\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-cyber-threat-engine\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-sandbox-malware-analysis\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-prevent-antivirus\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-insight-edr\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/security-and-it-operations\/falcon-discover-network-security-monitoring\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/managed-services\/falcon-complete\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/managed-services\/falcon-complete\/warranty-faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/endpoint-security\/falcon-device-control\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/bundles\/falcon-elite\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/bundles\/falcon-pro\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/bundles\/falcon-enterprise\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/crowdstrike-support\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-sandbox-malware-analysis\/","is_subfolder":false,"exclusions":false},{"url":"\/products\/threat-intelligence\/falcon-cyber-threat-engine\/","is_su
bfolder":false,"exclusions":false},{"url":"\/products\/faq\/","is_subfolder":false,"exclusions":false},{"url":"\/services\/","is_subfolder":true,"exclusions":[{"exclude_url":"\/experienced-a-breach\/"}]},{"url":"\/events\/","is_subfolder":true,"exclusions":false},{"url":"\/free-trial-guide\/","is_subfolder":true,"exclusions":false},{"url":"\/cybersecurity-101\/","is_subfolder":true,"exclusions":[{"exclude_url":"\/cybersecurity-101\/cloud-security\/test-ep\/"},{"exclude_url":"\/cybersecurity-101\/attack-types\/test-ep\/gtr\/"}]},{"url":"\/resources\/","is_subfolder":true,"exclusions":[{"exclude_url":"\/resources\/demos\/falcon-complete-mdr\/"},{"exclude_url":"\/resources\/reports\/threat-hunting-report\/"},{"exclude_url":"\/resources\/demos\/data-protection\/"},{"exclude_url":"\/resources\/crowdcasts\/fal-con-2023-series\/"},{"exclude_url":"\/resources\/adversary-universe-podcast\/ "}]},{"url":"\/products\/identity-protection\/active-directory-risk-review\/","is_subfolder":false,"exclusions":false}],"entrance_delay":"2000","animation_speed":"333","custom_class":"","disabled":false},"columns":[{"column_options":{"background_color":"dark","background_image":{"ID":167734,"id":167734,"title":"demo-blank-falcon-hero (1)","filename":"demo-blank-falcon-hero-1-1.png","filesize":597420,"url":"\/wp-content\/uploads\/2023\/07\/demo-blank-falcon-hero-1-1.png","link":"\/demo-blank-falcon-hero-1-2\/","alt":"","author":"25","description":"","caption":"","name":"demo-blank-falcon-hero-1-2","status":"inherit","uploaded_to":0,"date":"2023-07-11 22:51:05","modified":"2023-07-11 22:51:05","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"\/wp-includes\/images\/media\/default.png","width":857,"height":1000}},"column":[{"acf_fc_layout":"text_content","title":{"title_text":"Try CrowdStrike free for 15 days","font_size_override":"50","font_color_override":""},"text":"<style>\n.ep--content--image {<br \/>  display: none;<br \/>}<br \/>@media screen and 
(min-height: 876px) {<br \/>  .ep--content--image {<br \/>    display: block;<br \/>  }<br \/>}<br \/><\/style>\n<p><center><img decoding=\"async\" class=\"ep--content--image\" src=\"https:\/\/www.crowdstrike.com\/wp-content\/uploads\/2023\/04\/real-time-visibility.jpeg\" \/><\/center><strong>Total protection has never been easier.<br \/>\nTake advantage of our free 15-day trial and explore the most popular solution for your business:<\/strong><\/p>\n<p>&#8211; Protect against malware with next-gen antivirus.<br \/>\n&#8211; Get unrivaled visibility with USB device control.<br \/>\n&#8211; Simplify your host firewall management.<br \/>\n&#8211; Receive real-time insights with automated threat intelligence.<\/p>\n","ctas":false}]},{"column_options":{"background_color":"light","background_image":false},"column":[{"acf_fc_layout":"form_content","form_title":"","form_subtitle":"Try it free","form_urlid":"5554","form_height":"900","form_privacy_message":"By clicking submit, I consent to the processing of my contact information by CrowdStrike and its partners, including to CrowdStrike contacting me and sharing my contact information with its partners. 
I acknowledge that CrowdStrike will use and keep my contact information for as long as necessary for these purposes in accordance with its <a href=\"\/privacy-notice\/\" target=\"_blank\">Privacy Notice<\/a>","form_ty_url":"\/products\/trials\/try-falcon-ep\/thank-you\/"}]}]},{"name":"Cloud AB Test","exit_promoter_options":{"url_whitelist":[{"url":"\/cybersecurity-101\/cloud-security\/test-ep\/","is_subfolder":false,"exclusions":false}],"entrance_delay":"2000","animation_speed":"333","custom_class":"","disabled":false},"columns":[{"column_options":{"background_color":"primary","background_image":false},"column":[{"acf_fc_layout":"text_content","title":{"title_text":"Cloud threats are on the rise","font_size_override":"0","font_color_override":""},"text":"<p><center><img decoding=\"async\" src=\"\/wp-content\/uploads\/2022\/06\/protectors-cloud-ebook-thumb.png\" \/><\/center>Discover the top threats, who is behind them, and what you can do to stop them.<\/p>\n","ctas":false}]},{"column_options":{"background_color":"dark","background_image":false},"column":[{"acf_fc_layout":"form_content","form_title":"","form_subtitle":"Download the Cloud\r\nThreat Report","form_urlid":"3716","form_height":"700","form_privacy_message":"","form_ty_url":""}]}]},{"name":"GTR CS101 EP","exit_promoter_options":{"url_whitelist":[{"url":"\/cybersecurity-101\/attack-types\/test-ep\/gtr\/","is_subfolder":false,"exclusions":false}],"entrance_delay":"2000","animation_speed":"333","custom_class":"","disabled":false},"columns":[{"column_options":{"background_color":"dark","background_image":false},"column":[{"acf_fc_layout":"text_content","title":{"title_text":"CrowdStrike discovers 33 newly named adversaries","font_size_override":"0","font_color_override":""},"text":"<p><center><img decoding=\"async\" src=\"\/wp-content\/uploads\/2023\/02\/GTR2023_Social_Banners_04_Resource-center-banner-825-x-360-GTR.png\" \/><\/center><br \/>\n<strong><span style=\"font-size: large;\">Get the latest threat 
intelligence and eCrime data from cyberattacks in 2022.<\/span><\/strong><\/p>\n","ctas":false}]},{"column_options":{"background_color":"light","background_image":false},"column":[{"acf_fc_layout":"form_content","form_title":"","form_subtitle":"","form_urlid":"2069","form_height":"830","form_privacy_message":"","form_ty_url":""}]}]},{"name":"test-ep-8286","exit_promoter_options":{"url_whitelist":[{"url":"\/test-form-gtr-3726-ep-8286\/","is_subfolder":false,"exclusions":false}],"entrance_delay":"500","animation_speed":"333","custom_class":"","disabled":false},"columns":[{"column_options":{"background_color":"light","background_image":false},"column":[{"acf_fc_layout":"form_content","form_title":"Test Form 8286","form_subtitle":"","form_urlid":"8286","form_height":"500","form_privacy_message":"Test privacy message.","form_ty_url":""}]}]}]}
/* ]]> */
</script>
</body>
</html>